From: "mame (Yusuke Endoh) via ruby-core" <ruby-core@ml.ruby-lang.org>
To: ruby-core@ml.ruby-lang.org
Cc: "mame (Yusuke Endoh)" <noreply@ruby-lang.org>
Subject: [ruby-core:115742] [Ruby master Bug#20050] Segfault on Ruby 3.2.2 (and 3.1) on x86_64 Darwin 20 (rb_id_table_lookup for #hash)
Date: Thu, 14 Dec 2023 10:57:06 +0000 (UTC)
Message-ID: <redmine.journal-105675.20231214105706.1181@ruby-lang.org>
In-Reply-To: redmine.issue-20050.20231207195741.1181@ruby-lang.org

Issue #20050 has been updated by mame (Yusuke Endoh).

I'm not sure if this is really the same problem, but I was able to segfault with the following code.

```ruby
srand(0)

class Foo
  def to_a
    []
  end

  def hash
    $h.delete($h.keys.sample) if rand < 0.1
    to_a.hash
  end
end

GC.stress = true
100.times do
  $h = {}
  (0..10).each {|i| $h[Foo.new] ||= {} }
end
```
```
t.rb:17: [BUG] Segmentation fault at 0x0000000000000034
ruby 3.3.0dev (2023-12-14T08:39:42Z master e51f9e9f75) [x86_64-linux]
-- Control frame information -----------------------------------------------
c:0007 p:---- s:0029 e:000028 CFUNC :hash
c:0006 p:0021 s:0026 e:000021 BLOCK ../t.rb:17 [FINISH]
c:0005 p:---- s:0018 e:000017 CFUNC :each
c:0004 p:0009 s:0014 e:000013 BLOCK ../t.rb:17
c:0003 p:0025 s:0011 e:000010 METHOD <internal:numeric>:237
c:0002 p:0025 s:0006 e:000005 EVAL ../t.rb:15 [FINISH]
c:0001 p:0000 s:0003 E:001dd0 DUMMY [FINISH]
-- Ruby level backtrace information ----------------------------------------
../t.rb:15:in `<main>'
<internal:numeric>:237:in `times'
../t.rb:17:in `block in <main>'
../t.rb:17:in `each'
../t.rb:17:in `block (2 levels) in <main>'
../t.rb:17:in `hash'
-- Threading information ---------------------------------------------------
Total ractor count: 1
Ruby thread count for this ractor: 1
-- Machine register context ------------------------------------------------
RIP: 0x0000564aa444d3ab RBP: 0x00007f48494e4b00 RSP: 0x00007fffa788b410
RAX: 0x0000000000000000 RBX: 0x0000564aa6749e40 RCX: 0x0000564aa444d370
RDX: 0x0000000000000000 RDI: 0x0000000000000024 RSI: 0x0000000000000000
R8: 0x0000000000000ac1 R9: 0x00007f48494e4b00 R10: 0x0000000000000000
R11: 0x0000000000000024 R12: 0x0000564aa6709580 R13: 0x0000564aa6709580
R14: 0x00007f48495feec0 R15: 0x0000000000000000 EFL: 0x0000000000010293
-- C level backtrace information -------------------------------------------
/home/mame/work/ruby/miniruby(rb_print_backtrace+0x14) [0x564aa4585a94] /home/mame/work/ruby/vm_dump.c:820
/home/mame/work/ruby/miniruby(rb_vm_bugreport) /home/mame/work/ruby/vm_dump.c:1151
/home/mame/work/ruby/miniruby(rb_bug_for_fatal_signal+0x14c) [0x564aa43bd4dc] /home/mame/work/ruby/error.c:1065
/home/mame/work/ruby/miniruby(sigsegv+0x53) [0x564aa44e6633] /home/mame/work/ruby/signal.c:920
/lib/x86_64-linux-gnu/libc.so.6(0x7f4849a42910) [0x7f4849a42910]
./miniruby(rb_float_noflonum_value+0x0) [0x564aa444d3ab]
/home/mame/work/ruby/miniruby(rb_float_flonum_value) ./internal/numeric.h:240
/home/mame/work/ruby/miniruby(rb_float_value_inline) ./internal/numeric.h:238
/home/mame/work/ruby/miniruby(flo_hash) /home/mame/work/ruby/numeric.c:1652
/home/mame/work/ruby/miniruby(vm_call0_cfunc_with_frame+0xca) [0x564aa457e356] ./vm_eval.c:173
/home/mame/work/ruby/miniruby(vm_call0_cfunc) ./vm_eval.c:187
/home/mame/work/ruby/miniruby(vm_call0_body) ./vm_eval.c:233
/home/mame/work/ruby/miniruby(rb_funcallv+0x212) [0x564aa4564902] ./vm_eval.c:110
/home/mame/work/ruby/miniruby(vm_catch_protect+0xfe) [0x564aa456a91e] ./vm_eval.c:2369
/home/mame/work/ruby/miniruby(exec_recursive+0x216) [0x564aa4529e76] /home/mame/work/ruby/thread.c:5179
/home/mame/work/ruby/miniruby(obj_any_hash+0x56) [0x564aa43f2486] /home/mame/work/ruby/hash.c:218
/home/mame/work/ruby/miniruby(any_hash+0x4c) [0x564aa43f239c] /home/mame/work/ruby/hash.c:203
/home/mame/work/ruby/miniruby(do_hash+0x6) [0x564aa44ee2d8] /home/mame/work/ruby/st.c:320
/home/mame/work/ruby/miniruby(rb_st_add_direct) /home/mame/work/ruby/st.c:1183
/home/mame/work/ruby/miniruby(ar_try_convert_table+0xbf) [0x564aa43f35df] /home/mame/work/ruby/hash.c:714
/home/mame/work/ruby/miniruby(RHASH_ST_TABLE+0x0) [0x564aa43f456e] /home/mame/work/ruby/hash.c:1641
/home/mame/work/ruby/miniruby(rb_hash_stlike_update) /home/mame/work/ruby/hash.c:1648
/home/mame/work/ruby/miniruby(tbl_update) /home/mame/work/ruby/hash.c:1689
./miniruby(rb_hash_aset+0xa7) [0x564aa43f44f7]
/home/mame/work/ruby/miniruby(vm_exec_core+0x5708) [0x564aa4560098] ./vm_insnhelper.c:6328
/home/mame/work/ruby/miniruby(vm_exec_loop+0x0) [0x564aa45598ad] /home/mame/work/ruby/vm.c:2486
/home/mame/work/ruby/miniruby(rb_vm_exec) /home/mame/work/ruby/vm.c:2489
./miniruby(invoke_block_from_c_bh+0x469) [0x564aa4580439]
/home/mame/work/ruby/miniruby(vm_yield_with_cref+0x46) [0x564aa45686f5] /home/mame/work/ruby/vm.c:1634
/home/mame/work/ruby/miniruby(vm_yield) /home/mame/work/ruby/vm.c:1642
/home/mame/work/ruby/miniruby(rb_yield_0) ./vm_eval.c:1366
/home/mame/work/ruby/miniruby(rb_yield) ./vm_eval.c:1382
/home/mame/work/ruby/miniruby(range_each_fixnum_loop+0x32) [0x564aa44a1df8] /home/mame/work/ruby/range.c:911
/home/mame/work/ruby/miniruby(range_each) /home/mame/work/ruby/range.c:948
/home/mame/work/ruby/miniruby(vm_call_cfunc_with_frame_+0xf4) [0x564aa4578574] ./vm_insnhelper.c:3490
/home/mame/work/ruby/miniruby(vm_sendish+0xd6) [0x564aa455cd2b] ./vm_insnhelper.c:5581
/home/mame/work/ruby/miniruby(vm_exec_core) /home/mame/work/ruby/insns.def:814
/home/mame/work/ruby/miniruby(vm_exec_loop+0x0) [0x564aa45598ad] /home/mame/work/ruby/vm.c:2486
/home/mame/work/ruby/miniruby(rb_vm_exec) /home/mame/work/ruby/vm.c:2489
/home/mame/work/ruby/miniruby(rb_ec_exec_node+0x2b) [0x564aa43c985b] /home/mame/work/ruby/eval.c:287
/home/mame/work/ruby/miniruby(ruby_run_node) /home/mame/work/ruby/eval.c:328
/home/mame/work/ruby/miniruby(rb_main+0x1c) [0x564aa4318605] ./main.c:39
/home/mame/work/ruby/miniruby(main) ./main.c:58
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_call_main+0x80) [0x7f4849a280d0] ../sysdeps/nptl/libc_start_call_main.h:58
/lib/x86_64-linux-gnu/libc.so.6(call_init+0x0) [0x7f4849a28189] ../csu/libc-start.c:360
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main_impl) ../csu/libc-start.c:347
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main) (null):0
[0x564aa43184c5]
```

@martinemde Question to confirm if this is the same problem as yours: Does bundler access the hash in question ([Bundler::Checksum::Store's @store](https://github.com/rubygems/rubygems/commit/34d6c6c72f6099c83860d81b9810d0b1441d802d#diff-63b5dabde4934e1fdd1bf24aea2b5bcfa5c4c3bbcf28112bc10e46cb4a73c30aL167)) from multiple threads in parallel?

The problem I found occurs when a Hash is updated from another thread while `ar_try_convert_table` is converting the internal representation of the hash. Since the key implements the `#hash` method in Ruby, I think a context switch is possible during the conversion of `ar_try_convert_table`.

----------------------------------------
Bug #20050: Segfault on Ruby 3.2.2 (and 3.1) on x86_64 Darwin 20 (rb_id_table_lookup for #hash)
https://bugs.ruby-lang.org/issues/20050#change-105675
* Author: martinemde (Martin Emde)
* Status: Open
* Priority: Normal
* ruby -v: ruby 3.2.2 (2023-03-30 revision e51014f9c0) [x86_64-darwin20]
* Backport: 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN
----------------------------------------
Hi,
In the rubygems & bundler repositories we've now had two segfaults in the same exact code within days of merging a change to that code, both on ruby 3.2.2 on darwin20.
1. https://github.com/rubygems/rubygems/actions/runs/7110489973/job/19357067789?pr=7129
2. https://github.com/rubygems/rubygems/actions/runs/7131889001/job/19421304163?pr=7228
The specific error seems to happen when calculating the hash of the array in Gem::NameTuple#hash. The array contents that are being `.hash`ed both times should be exactly: `["has_metadata", "1.0", "ruby"]`. If I'm reading this correctly, this indicates that the crash is related either to creating this hash or storing this hash in the hash table (I'm not quite sure which is triggering the crash).
An excerpt of the C backtrace shows the same backtrace for both crashes:
```
-- C level backtrace information -------------------------------------------
/Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(rb_vm_bugreport+0x7c4) [0x10cb0f994]
/Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(rb_bug_for_fatal_signal+0x1d0) [0x10c9158c0]
/Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(sigsegv+0x5b) [0x10ca609ab]
/usr/lib/system/libsystem_platform.dylib(_sigtramp+0x1d) [0x7ff810c14dfd]
/Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(rb_id_table_lookup+0x16) [0x10caa2a56]
/Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(callable_method_entry_or_negative+0x5e) [0x10cae9c8e]
/Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(rb_check_funcall_basic_kw+0x129) [0x10caf0039]
/Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(obj_any_hash+0x3c) [0x10c94bd2c]
/Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(any_hash+0x52) [0x10c94bc12]
/Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(rb_st_add_direct+0x1d) [0x10ca69b7d]
/Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(ar_try_convert_table+0x85) [0x10c94d015]
/Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(rb_hash_aset+0x18f) [0x10c94e26f]
```
I'm not sure how to follow this instruction in this case on GitHub Actions: "Don't forget to include the Crash Report log file under DiagnosticReports directory in bug reports."
I have not been able to reproduce this locally with the same version of ruby (but I'm on darwin22 instead of 20). I will follow up if we continue to see this same crash.
--
https://bugs.ruby-lang.org/
______________________________________________
ruby-core mailing list -- ruby-core@ml.ruby-lang.org
To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
ruby-core info -- https://ml.ruby-lang.org/mailman3/postorius/lists/ruby-core.ml.ruby-lang.org/
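
One way to rule out the parallel-update scenario described in the message above, shown as an added example (not code from the thread, from Ruby, or from Bundler): every access to the shared Hash goes through a Mutex, so a thread switch inside a key's Ruby-level `#hash` cannot let another thread update the table while it is being converted. `NameKey`, `SynchronizedStore` and `run_concurrent_inserts` are hypothetical names, and the `Thread.pass` call is a constructed way to force a scheduling point.

```ruby
# Key whose #hash is implemented in Ruby, so the VM can switch threads
# while a Hash is computing the key's hash value.
class NameKey
  attr_reader :name, :version

  def initialize(name, version)
    @name = name
    @version = version
    @hash = [name, version].hash # computed once so #hash stays stable
  end

  def hash
    Thread.pass # constructed: give other threads a chance to run here
    @hash
  end

  def eql?(other)
    other.is_a?(NameKey) && name == other.name && version == other.version
  end
end

# All reads and writes of the underlying Hash are serialized by one lock.
class SynchronizedStore
  def initialize
    @lock = Mutex.new
    @store = {}
  end

  def fetch_or_store(key)
    @lock.synchronize { @store[key] ||= yield }
  end

  def size
    @lock.synchronize { @store.size }
  end
end

# Several threads insert the same set of keys. More than 8 keys takes the
# Hash past its small array-backed table, the conversion seen in the trace.
def run_concurrent_inserts(threads: 4, keys: 32)
  store = SynchronizedStore.new
  workers = Array.new(threads) do
    Thread.new do
      keys.times { |i| store.fetch_or_store(NameKey.new("gem#{i}", "1.0")) { {} } }
    end
  end
  workers.each(&:join)
  store.size
end
```

A key whose `#hash` touched the same store again, as `Foo#hash` does with `$h` in the reproducer, would raise `ThreadError` (recursive locking) here instead of modifying the table during an insert.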
Thread overview: 11+ messages
2023-12-07 19:57 [ruby-core:115649] [Ruby master Bug#20050] Segfault on Ruby 3.2.2 on x86_64 Darwin 20 (maybe in Array#hash) martinemde (Martin Emde) via ruby-core
2023-12-08 17:42 ` [ruby-core:115662] " martinemde (Martin Emde) via ruby-core
2023-12-12 1:37 ` [ruby-core:115712] " martinemde (Martin Emde) via ruby-core
2023-12-13 23:23 ` [ruby-core:115738] " martinemde (Martin Emde) via ruby-core
2023-12-14 7:54 ` [ruby-core:115740] [Ruby master Bug#20050] Segfault on Ruby 3.2.2 (and 3.1) on x86_64 Darwin 20 (rb_id_table_lookup for #hash) martinemde (Martin Emde) via ruby-core
2023-12-14 10:57 ` mame (Yusuke Endoh) via ruby-core [this message]
2023-12-14 11:37 ` [ruby-core:115743] " Eregon (Benoit Daloze) via ruby-core
2023-12-14 18:59 ` [ruby-core:115746] " ko1 (Koichi Sasada) via ruby-core
2023-12-16 5:50 ` [ruby-core:115761] " martinemde (Martin Emde) via ruby-core
2024-03-28 5:01 ` [ruby-core:117356] " kjtsanaktsidis (KJ Tsanaktsidis) via ruby-core
2024-04-08 9:42 ` [ruby-core:117465] " nagachika (Tomoyuki Chikanaga) via ruby-core